Thomas France

Secure Web Design Concepts

Instructor: Jeff Scott

Dated: 07/29/2011


An Overview of Website Security

Policies and Procedures

for Web Programmers


(Written by Thomas France)










The 5 Prerequisites for Secure Websites


I have determined that there are 5 Prerequisites for a Secure Website. These prerequisites for Website Security would be:


1. Well thought out, detailed Security Policies and Procedures.

2. Servers with secure configurations

3. SSL (Secure Sockets Layer encryption)

4. A knowledgeable Web Programmer

5. A Knowledgeable Security Administrator

Without any one of these 5 suggested required resources, a website's security is significantly reduced. Policies can vary depending on the business or service. Servers must be secured. Secure encryption is a must-have during things like user authentication and access. An educated Web Programmer is invaluable, just as an IT security staff member is.


There are literally a plethora of ways a hacker can infiltrate your website, just as a scammer or spammer can. You want to cover yourself legally, and being secure with decent logs is your defense. However, it takes years to become versed well enough in all the various aspects to be an accomplished professional who can handle all the latest security concerns.




Seven Steps at Design Time for Secure Websites


This is a very concise list, and any step listed here may involve an extremely large amount of information and require considerable knowledge. These steps are more of a "Guideline at Design Time" list that applies throughout the entire life of the project. The mention of design time is to drive home the importance of integrating security immediately.


  1. Beginning at the Project Design stage is crucial and must be prepared for by drawing up Security Procedures and Policies accordingly.


  2. Determine how to handle every detail of:

     a. Error Reporting

     b. Error & Information Logging


  3. Determine Risk at every project Design, Use-Case and coding stage.


  4. Depending on the degree of Risk, and even if there is none, the following 4 User-Security aspects need to be weighed and addressed...

     i. Authentication

     ii. Access Authorization

     iii. Validation

     iv. Session Security


  5. Be sure configuration aspects for applications and servers are well addressed for security concerns. This includes remote administration logging such as for VPN services.


  6. Invoke Security Testing measures and a process to handle correcting errors or security holes.


  7. Be sure someone will handle the system's security, specifically server and system security, and assist by training this IT person in aspects such as viewing the logs.


This is not a checklist, but more of a summary description that includes all the various aspects that need to be covered. It does not include any detailed information, and, in fact, the more detailed information I am providing below is not detailed enough for you to know everything there is to know about Web Security.


However, it does cover these seven steps and will explain things more clearly as well as bring up some things you probably hadn't thought of. As you continue on, you will begin to realize the incredible scope of information that this single topic covers, and that only an educated and experienced person can handle making sure your special project is safe and secure.








Web Security Policies and Procedures


Putting policies and procedures in place gives structure to achieving the goal of security. The more thought out and well prepared these policies and procedures are the better, as they entail a lot of information. You don't want to leave anything out, as it may be crucial at some point in time.


The various businesses and institutions have their own policies and procedures in place, and some are in strict compliance with guidelines recommended by higher institutions and organizations. The FDIC requires its members to follow certain guidelines. The medical profession also has its own policies to abide by, such as HIPAA.


The Health Insurance Portability and Accountability Act (or HIPAA) has specific rules, such as standing a minimum of 4 feet behind a person getting a prescription at a pharmacy counter. As you can imagine, these kinds of policies can be very in-depth and complicated as well. But it is very necessary that you abide by the policy and procedural guidelines of whatever governing authority applies to you.


Popular policies are Privacy Policies, which are there to help protect users and inform them that the information they are sharing with your system is not being sold or shared. Another is called Terms Of Service, or TOS, which lays out what the relationship between the user and the system entails in agreement for using the system's services. The TOS may describe what you can and should not do, or state that any pictures uploaded will become the property of said system.


ID Theft, Hacking Attempts, Phishing, Pharming, Spyware, Adware, SQL Attacks, Disgruntled Employee, Stack/Buffer Overflows, Angry Mate, Wireless Access Point, 5 year old kid... it takes a lot of work to create and run a "secure" website or web application, let alone work with all of the latest and greatest technologies, which also have their own security concerns and aspects. It can truly be mind-boggling and takes a person years in order to become anywhere near an expert in the field of IT and Web Security.



Minimizing and Weighing the Risks


As each and every step of the project is gone through, Security must be considered and risks weighed into the scheme of things according to Security Policies and Guidelines.


To help minimize risk, methods like input validation and only providing the most minimal information needed can aid that goal. The less risk, the less threat.


Evaluating the risk is tricky: you need to consider what is being done as well as how it is being done. An aspect like a user login has more risk than, say, a view of content, and should therefore be treated more seriously. If it accesses the Database, it's a high risk.


Being knowledgeable comes in big time here. A Web Programmer will want to protect the password. There's a ton of tricks, but only one is the most secure method of all to handle the situation. More on that later.




User Authorization, Access and Session Security


User Authentication, Access Authorization and Session Security are the three big players that Web Programmers are concerned with. Authentication determines if the "user" is the user authorized to access the system in the first place. Access Authorization helps keep levels of security throughout the site. And Session Security helps ensure that the person the system is conversing with isn't having their session hijacked by someone unauthorized.


  1. Authentication

  2. Access and Authorization

  3. Session Security


It is these three aspects that a Web Programmer wants to make sure are all handled correctly if the system is to be somewhat secure at all.





Handling and Logging Activity and Errors


When a user doesn't have the right access or authorization, this is a type of error that is easily handled. However, be fully aware that unexpected errors, such as exceptions, can also occur! ALL of these should be logged and recorded on the server.
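The handling described above, combined with the earlier advice to give out only the minimal information needed, as an added Python example that is not part of the original paper. The users, roles, pages and the `render` function are constructed for illustration, and a `StringIO` stream stands in for the server's log file.

```python
import io
import logging
import uuid

# Server-side log; a StringIO stream stands in for the server's log file.
LOG_STREAM = io.StringIO()
log = logging.getLogger("webapp.security")
log.setLevel(logging.INFO)
log.propagate = False
handler = logging.StreamHandler(LOG_STREAM)
handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.handlers = [handler]

# Constructed sample data: roles per user and the role each page requires.
USER_ROLES = {"alice": {"admin"}, "bob": {"member"}}
PAGE_ROLE = {"/admin/users": "admin", "/profile": "member"}


class AccessDenied(Exception):
    """Raised when the user lacks the role a page requires."""


def render(page, user):
    """Hypothetical page renderer; /profile fails to simulate a bug."""
    if page == "/profile":
        raise KeyError("profile row missing")
    return f"{page} for {user}"


def handle_request(user, page):
    """Return (status, body). Details go to the log, never to the body."""
    ref = uuid.uuid4().hex[:8]  # lets staff match a user report to a log line
    try:
        required = PAGE_ROLE.get(page)
        # Deny by default: unknown pages and unknown users are refused.
        if required is None or required not in USER_ROLES.get(user, set()):
            raise AccessDenied(page)
        body = render(page, user)
        log.info("ref=%s user=%r page=%r result=ok", ref, user, page)
        return 200, body
    except AccessDenied:
        # Expected error: easy to handle, still recorded on the server.
        log.warning("ref=%s user=%r page=%r result=denied", ref, user, page)
        return 403, f"Access denied (ref {ref})"
    except Exception:
        # Unexpected error: the full traceback stays in the server log.
        log.exception("ref=%s user=%r page=%r result=error", ref, user, page)
        return 500, f"Something went wrong (ref {ref})"
```

The `%r` formatting escapes control characters in user-supplied values, so a crafted user name cannot forge extra log lines.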





App and Server Secure Configurations


The Server and the Software it runs all need to be looked at as well. These need to be configured to be as safe as possible, using knowledge specific to these areas. A Linux Server Administrator will probably know about handling such a task, for example.


He may tell you right away that the Desktop machine you want to use as a server needs to have two hard drives, separating the operating system and the actual web server's files, therefore making things more secure. There are likely well over a dozen things to check on a server to make sure the security vulnerabilities are taken care of.




IT Security Administration



Lastly, Security cannot be on auto-pilot. It takes a real, live, actual person to make sure things are staying secure: seeing if users are adhering to policy and procedure, checking logs to see if anyone is making any attempts to hack the system, and performing the ever important redundant backups of the system on a set schedule.


Summary


Planning plays a huge role in the scheme of things where security is concerned, especially in a web project where technologies require a lot of thought and consideration. Starting at the outset and carefully going over every detail repeatedly as a project is designed is crucial in ensuring that security will be handled in the most effective manner.


The extensive information covers a lot of area in order to bring about a truly beneficial security policy and is required in order to formulate the procedures with which to deal with security issues. It is up to the people playing the roles such as IT Security or Web Programmer to ensure they keep up on the latest technologies and security aspects in their field.


Therefore a lot of education as well as enough real world experience in dealing with Web Security is something a client seeking to have a Web Project created should be looking for, especially when dealing with sensitive, personal information, eCommerce or in the health fields where medical records are dealt with. Policies are a barrier between you and complications with legalities, and can be full of legal jargon. Research plays a large part in being thorough and successful where security is concerned.


For a Flowchart of what to expect when dealing with Web Security for Web Programmers, visit the following link...


http://www.tommyray.net/mypages/websecurity/images/Website-Security-Flowchart.png


















